How I asked my High School Sweetheart to Prom

7-21-14

A few years ago, I had to ask someone to prom. I thought about it long and hard; I wanted to do something unique. I figured since we were both techies, it would make sense to go that route. I contemplated different vectors; she was too smart to download and execute an attachment, and "borrowing" her laptop was too risky.

Finally, I realized something. That night, I received some excited messages. Her Tumblr blog had turned into this:

Here's the technical explanation of what happened. A few months prior, we were debugging an issue with the infinite scroll script she was using. We figured it out, but needed a publicly accessible place to store it. I volunteered a host I had access to.

Fast forward, and I realized her blog was still sourcing JavaScript from that server. Excellent.

I wanted the interface to appear for only her, and then display messages to her visitors once she answered, so I needed to figure out her IP address. I found a dumb picture on Facebook, built a log and redirect script, ran it through a URL shortener, and she was none the wiser:

In layman's terms, when she clicked the shortened link for the image, it bounced off my server, which immediately bounced it back to the desired image. In the middle of that, my server logged the external IP address that requested the page. Since this was all done using HTTP headers, there was no back history or anything obviously suspicious about what happened.

After that, it was simply a matter of building an interface and adding the code for it to the JavaScript file that her blog was still loading from my server. Since her blog was loading code that I had access to, I could do pretty much anything to the client side page that I wanted, without having to actually access her account at all.

My payload would check against my server if the IP address was hers, and if so, it would render the interface and allow her to answer yes or no. In the event that she said no, ugly messages would be shown to her viewers until she removed the script from her template.

Thankfully, no ugly messages were ever seen. She answered correctly.

And that, my friends, is why you never load untrusted JavaScript how I asked my high school sweetheart to prom.
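
The defensive side of this story, as an added example that is not part of the original post: a Python audit of a page template that reports every external script loaded from a host outside an allowlist, over plain HTTP, or without a Subresource Integrity pin. The hostnames, the allowlist and the sample template are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_value(script_bytes):
    """Value for an integrity= attribute that pins these exact bytes."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")

class ScriptAudit(HTMLParser):
    def __init__(self, page_host, trusted_hosts):
        super().__init__()
        self.page_host = page_host
        self.trusted = set(trusted_hosts) | {page_host}
        self.findings = []  # list of (src, [issues])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag != "script" or not src:
            return  # inline scripts are out of scope for this check
        url = urlparse(src)
        host = url.hostname or self.page_host  # relative URL: same host
        issues = []
        if host not in self.trusted:
            issues.append("untrusted-host")
        if url.scheme == "http":
            issues.append("plain-http")
        if host != self.page_host and not attrs.get("integrity"):
            issues.append("no-integrity")  # whoever controls the host controls the page
        if issues:
            self.findings.append((src, issues))

def audit(html, page_host, trusted_hosts=()):
    parser = ScriptAudit(page_host, trusted_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample template; every hostname is a placeholder.
SAMPLE = """
<script src="/theme/main.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="http://files.friend.example/infinite-scroll.js"></script>
"""

if __name__ == "__main__":
    for src, issues in audit(SAMPLE, "blog.example.com", ["cdn.example.net"]):
        print(src, issues)
```

Running it on the sample flags only the infinite-scroll script. Copying that file to a host you control, or pinning it with the output of `sri_value`, removes the third party's ability to change what the page executes.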